Access Rights

Sitecore Access Rights

  • Are determined by the roles assigned to the user account
  • Accumulate for a user as the user account is added to more roles
  • Behave like NTFS permissions
  • Are not the same for all users
  • Are controlled by the admin user

Assigning Access Rights

  • Access Rights can be assigned to individual users or to roles
  • Access Rights are generally assigned to roles, not users
  • When a user is a member of multiple roles, they accumulate the access rights of all those roles

Primary Access Rights

  • Read controls whether an account can view an item in the Content Tree or view pages on the published Web site. The Read access right is required for all the remaining primary access rights
  • Write controls whether an account can update field values. The Write access right is required for the Administer access right. The Write access right requires the following access rights:
    • Read
    • Field Read
    • Field Write
  • Create controls whether an account can create child items under the current item. The Create access right requires the Read access right
  • Rename controls whether an account can update the name of an item. The Rename access right requires the Read access right
  • Delete controls whether an account can delete an item and its descendants. The Delete command removes both the selected item and all child items, even when the account has been denied Delete rights for one or more of the child items. The Delete access right requires the Read access right
  • Administer controls whether an account can assign security permissions to an item. The Administer access right requires the Read and Write access rights

Secondary Access Rights

  • Field Read Right controls whether an account can read a specific field of an item. It is set to Allow by default
  • Field Write Right controls whether an account can update a specific field of an item. It is set to Allow by default
  • Language Read Right controls whether an account can read a specific language version of items
  • Language Write Right controls whether an account can update a specific language version of items
  • Site Enter Right controls whether an account can access a specific site
  • Workflow Command Execute Right controls whether an account is shown specific workflow commands
  • Workflow State Delete Right controls whether an account can delete items that are currently associated with a specific workflow state
  • Workflow State Write Right controls whether an account can update items that are currently associated with a specific workflow state

Types of Access Rights

  • Explicit Rights are permissions that are set directly on an item for a user account or role
  • Implicit Rights are inherited permissions, assigned to an ancestor item higher in the Content Tree hierarchy

Access Permissions

  • Allow grants the associated access right for the selected account
  • Deny revokes the associated access right for the selected account
  • Inherited means that there are no explicitly assigned permissions, so access is determined by the access permissions assigned higher in the tree hierarchy

Access Rights Precedence

  • Permissions assigned to user accounts take precedence over permissions assigned to roles
  • Deny permissions assigned to a role take precedence over Allow permissions assigned to other roles but do not take precedence over Allow permissions assigned directly to the user account. User permissions always take precedence over Role permissions
  • Users cannot access items where no Allow or Deny permissions have been assigned or are inherited for the user account or roles where the user account is a member
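The inheritance and precedence rules above, worked through as a small model. This is added example code, not Sitecore's API or implementation: the `Item` class, its `acl` dictionary, and the content tree built in the test are constructed for illustration, and the model assumes that each account's setting is first resolved up the tree (nearest explicit Allow/Deny wins) before user-over-role and Deny-over-Allow precedence is applied.

```python
from typing import Dict, List, Optional

ALLOW, DENY = "allow", "deny"

# Which primary rights each primary right depends on (from the page's list).
# Field Read / Field Write (secondary rights, default Allow) are not modelled.
REQUIRES = {
    "read": [],
    "write": ["read"],
    "create": ["read"],
    "rename": ["read"],
    "delete": ["read"],
    "administer": ["read", "write"],
}

class Item:
    """A content-tree item with explicit per-account settings (constructed model)."""
    def __init__(self, path: str, parent: Optional["Item"] = None):
        self.path, self.parent = path, parent
        self.acl: Dict[str, Dict[str, str]] = {}   # {right: {account: allow|deny}}

    def set_permission(self, right: str, account: str, setting: str) -> None:
        self.acl.setdefault(right, {})[account] = setting

def resolve(item: Item, right: str, account: str) -> Optional[str]:
    """Nearest explicit Allow/Deny for one account walking up the tree (implicit
    rights via inheritance); None when nothing is assigned or inherited."""
    node = item
    while node is not None:
        setting = node.acl.get(right, {}).get(account)
        if setting is not None:
            return setting
        node = node.parent
    return None

def effective(item: Item, right: str, user: str, roles: List[str]) -> bool:
    """Apply the page's precedence rules for a single right."""
    user_setting = resolve(item, right, user)
    if user_setting is not None:          # user settings beat role settings
        return user_setting == ALLOW
    role_settings = {resolve(item, right, r) for r in roles}
    if DENY in role_settings:             # a role Deny beats other roles' Allow
        return False
    return ALLOW in role_settings         # nothing anywhere -> no access

def has_right(item: Item, right: str, user: str, roles: List[str]) -> bool:
    """Effective right including the 'requires' dependencies (e.g. Read)."""
    return effective(item, right, user, roles) and all(
        has_right(item, dep, user, roles) for dep in REQUIRES[right])
```

The `has_right` check is what an audit script would call per item and account; a user who holds an explicit Write Allow on a leaf but no Read anywhere still resolves to no Write, which is the dependency rule the list above states.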

Effective Rights

  • The set of access rights assigned to the user after considering all settings that apply to the user
  • Includes explicit settings assigned to the user and all assigned roles, security inheritance, workflow state security, locking, protection, and other factors that dynamically affect access rights

Sitecore Access Rights Guidelines

  • Organize items with similar security requirements in the same hierarchy of the Content Tree
  • Assign access rights to roles, not users
  • Assign access permissions to items high in the hierarchy
  • Allow inheritance to assign implicit rights to items lower in the hierarchy
  • Most items in the Content Tree should not have an explicit Allow or Deny permission assigned to them

Preventing Access

  • Remove Allow access permissions assigned to the user or roles that the user is a member of, or remove the user from the role(s) with Allow permissions
  • Block inheritance where the access right should be denied rather than explicitly denying access rights
